Security Firm Uncovers Massive Firefox Extension Scam Targeting Crypto Users


TL;DR

  • Over 40 malicious Firefox extensions dubbed “FoxyWallet” mimicked MetaMask, Coinbase Wallet, Trust Wallet, and more on Mozilla’s store, siphoning seed phrases and private keys once installed.
  • Attackers weaponized fake five-star ratings and constantly tweaked extension IDs, injecting hidden scripts and remote code loaders to evade detection and steal credentials.
  • To avoid instant fund loss, users should purge unofficial wallet add-ons, rotate or migrate to fresh wallets, adopt hardware key storage, and pressure Mozilla Firefox for stricter extension reviews.

Security researchers at Koi Security have lifted the veil on a sprawling phishing operation they’ve dubbed “FoxyWallet.” A minimum of 40 harmful Firefox extensions were stealthily posing as well-known cryptocurrency wallets, including MetaMask, Coinbase Wallet, Trust Wallet, and Exodus.

Each Firefox add-on promised seamless integration with its namesake service, only to siphon seed phrases and private keys once users clicked “Install.” Koi’s deep dive revealed that many of these imposters were live on the official Mozilla Firefox Add-ons store, preying on untold numbers of unsuspecting crypto holders.

Sophisticated Impersonation Techniques

These extensions didn’t just rely on stolen icons and brand names. They weaponized fake five-star ratings and glowing reviews, some stretching into the hundreds, to lull users into a false sense of security. Koi’s investigation confirms the campaign has been running since April 2025, with new variants popping up as recently as last week.

Behind the scenes, the threat actors continuously alter metadata, swapping out extension IDs and tweaking code comments, some in Russian, to evade automated detection and prolong their operation.

Inside the Credential Theft Mechanism


Once installed, each FoxyWallet clone injects a hidden content script into every browser tab. The script listens for wallet interactions, password entries, account exports, and signature requests, and quietly forwards sensitive details to remote command-and-control servers.

Koi Security’s analysis uncovered a remote code loader, meaning attackers could push stealth updates to extend functionality or target new wallet interfaces. This modular design ensures the campaign remains agile, slipping past standard static analysis and fooling even vigilant users.

User Impact and Security Recommendations

Victims of this scam risk losing their entire crypto balances within minutes. To defend against FoxyWallet and its kin, security firms urge users to audit their installed extensions immediately, removing any wallet tools not downloaded directly from official project sites.

Experts also recommend migrating funds to fresh wallets, rotating seed phrases, and leveraging hardware devices for private-key storage. On the broader front, Koi is pressing Mozilla Firefox to tighten extension review processes, flagging suspicious review patterns and blocking remote-code loaders.
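One way to carry out the extension audit recommended above, as an added example that is not code from Koi Security or Mozilla: it checks a parsed manifest.json for a wallet brand name paired with an unverified add-on ID, and for content scripts that run in every tab. The trusted ID and all three sample manifests are constructed placeholders.

```python
import json

# Wallet brands the article names as impersonated by FoxyWallet.
WALLET_BRANDS = ("metamask", "coinbase", "trust wallet", "exodus")
# Match patterns that make a content script run in every tab.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumption: IDs you verified via each wallet project's own site (placeholder value).
TRUSTED_IDS = {"official-wallet@placeholder.example"}

# Constructed manifest.json samples, not taken from the campaign.
SAMPLES = {
    "lookalike": json.loads("""{
        "name": "MetaMask Wallet", "version": "1.0",
        "browser_specific_settings": {"gecko": {"id": "lookalike@placeholder.example"}},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}"""),
    "verified": json.loads("""{
        "name": "Exodus", "version": "2.3",
        "browser_specific_settings": {"gecko": {"id": "official-wallet@placeholder.example"}},
        "content_scripts": [{"matches": ["*://*/*"], "js": ["provider.js"]}]}"""),
    "unrelated": json.loads("""{
        "name": "Reading Notes", "version": "0.4",
        "content_scripts": [{"matches": ["https://example.org/*"], "js": ["notes.js"]}]}"""),
}


def addon_id(manifest):
    """Return the Firefox add-on ID declared in the manifest, or None."""
    settings = manifest.get("browser_specific_settings") or manifest.get("applications") or {}
    return settings.get("gecko", {}).get("id")


def audit_manifest(manifest, trusted_ids=TRUSTED_IDS):
    """Return findings for one parsed manifest.json (empty list means nothing flagged)."""
    findings = []
    name = str(manifest.get("name", "")).lower()  # localized __MSG_*__ names need resolving first
    brand = next((b for b in WALLET_BRANDS if b in name), None)
    if brand and addon_id(manifest) not in trusted_ids:
        findings.append(f"untrusted ID {addon_id(manifest)!r} uses wallet brand '{brand}'")
    for script in manifest.get("content_scripts", []):
        broad = BROAD_MATCHES.intersection(script.get("matches", []))
        if broad:
            findings.append(f"content script runs in every tab: {sorted(broad)}")
    return findings


if __name__ == "__main__":
    for label, manifest in SAMPLES.items():
        print(label, audit_manifest(manifest))
```

A broad content-script match on its own is only a prompt for review, since legitimate wallets can request it too; the brand name combined with an unverified ID is the stronger signal. Installed add-ons are stored as .xpi archives in the Firefox profile's extensions directory, with manifest.json at the archive root.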
